diff --git a/.ci/clusters/values-psp.yaml b/.ci/clusters/values-psp.yaml new file mode 100644 index 0000000..51f2c67 --- /dev/null +++ b/.ci/clusters/values-psp.yaml 
@@ -0,0 +1,87 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +kube-prometheus-stack: + enabled: false + prometheusOperator: + enabled: false + grafana: + enabled: false + alertmanager: + enabled: false + prometheus: + enabled: false + +# disabled AntiAffinity +affinity: + anti_affinity: false + +# disable auto recovery and pulsar manager +components: + autorecovery: false + pulsar_manager: false + +zookeeper: + replicaCount: 1 + # Disable pod monitor since we're disabling CRD installation + podMonitor: + enabled: false + +bookkeeper: + replicaCount: 2 + # Disable pod monitor since we're disabling CRD installation + podMonitor: + enabled: false + configData: + diskUsageThreshold: "0.999" + diskUsageWarnThreshold: "0.999" + PULSAR_PREFIX_diskUsageThreshold: "0.999" + PULSAR_PREFIX_diskUsageWarnThreshold: "0.999" + +broker: + replicaCount: 1 + # Disable pod monitor since we're disabling CRD installation + podMonitor: + enabled: false + configData: + ## Enable `autoSkipNonRecoverableData` since bookkeeper is running + ## without persistence + autoSkipNonRecoverableData: "true" + # storage settings + managedLedgerDefaultEnsembleSize: "1" + managedLedgerDefaultWriteQuorum: "1" + managedLedgerDefaultAckQuorum: "1" + 
+autorecovery: + # Disable pod monitor since we're disabling CRD installation + podMonitor: + enabled: false + +proxy: + replicaCount: 1 + # Disable pod monitor since we're disabling CRD installation + podMonitor: + enabled: false + +toolset: + useProxy: false + +rbac: + enabled: true + psp: true diff --git a/.github/workflows/pulsar-helm-chart-ci.yaml b/.github/workflows/pulsar-helm-chart-ci.yaml index b1ef2d2..b880895 100644 --- a/.github/workflows/pulsar-helm-chart-ci.yaml +++ b/.github/workflows/pulsar-helm-chart-ci.yaml @@ -186,6 +186,9 @@ jobs: - name: ZK & BK TLS Only values_file: .ci/clusters/values-zkbk-tls.yaml shortname: zkbk-tls + - name: PSP + values_file: .ci/clusters/values-psp.yaml + shortname: psp env: k8sVersion: ${{ matrix.k8sVersion.kind_image_tag }} KUBECTL_VERSION: ${{ matrix.k8sVersion.version }} diff --git a/charts/pulsar/templates/autorecovery-rbac.yaml b/charts/pulsar/templates/autorecovery-psp.yaml similarity index 91% rename from charts/pulsar/templates/autorecovery-rbac.yaml rename to charts/pulsar/templates/autorecovery-psp.yaml index 6885497..d089f39 100644 --- a/charts/pulsar/templates/autorecovery-rbac.yaml +++ b/charts/pulsar/templates/autorecovery-psp.yaml @@ -17,7 +17,7 @@ # under the License. # -{{- if and .Values.rbac.enabled .Values.rbac.psp }} +{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -34,13 +34,6 @@ rules: - use --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/pulsar/templates/autorecovery-service-account.yaml b/charts/pulsar/templates/autorecovery-service-account.yaml new file mode 100644 index 0000000..56da030 --- /dev/null 
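Review bot: `rbac.psp: true` at the end of this profile only yields PodSecurityPolicy objects when the chart's new `semverCompare "<1.25-0"` gate passes, so on a kind image at 1.25 or newer this values file exercises plain RBAC and nothing PSP-specific, and the file does not say so. Suggested comment above `rbac:`: `# PSP objects render only on Kubernetes < 1.25 (policy/v1beta1 was removed in 1.25); on newer kind images this profile degrades to rbac-only`. The header `# disable auto recovery and pulsar manager` also sits oddly next to the `autorecovery:` stanza that follows; a word such as `# kept so the podMonitor toggle is defined even though the component is off` would stop a reader from wondering whether the component is really disabled.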
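Review bot: The new `PSP` matrix entry inherits `k8sVersion` from the shared matrix (`matrix.k8sVersion.kind_image_tag` on the next line), and because every `*-psp.yaml` template in this commit is now gated on `<1.25-0`, the job will pass on a 1.25+ image without a single PSP or `use` Role ever being created, so a regression in those templates would go unnoticed. If the matrix contains 1.25+ entries (the matrix definition is outside the hunk), add a `matrix.exclude` pairing `shortname: psp` with those versions, or add a post-install step that fails when nothing rendered, e.g. `kubectl get podsecuritypolicies | grep -q "$RELEASE-broker"` guarded by the same version check. The `env:` lines are context only; the job continues outside the hunk.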
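Review bot: With this gate, `rbac.psp: true` on a 1.25+ cluster becomes a silent no-op — the PSP, the `use` Role and the RoleBinding all disappear, nothing replaces the `privileged: false` / `allowPrivilegeEscalation: false` constraints the policy enforced, and the chart adds no Pod Security Admission namespace labels, so an operator who set the value keeps a false sense of enforcement. Consider failing or at least warning, e.g. `{{- if and .Values.rbac.psp (not (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version)) }}{{ fail "rbac.psp=true but PodSecurityPolicy was removed in Kubernetes 1.25; use Pod Security Admission labels instead" }}{{- end }}`, or a NOTES.txt warning if a hard failure is too disruptive for existing values files. Note also that `.Capabilities.KubeVersion` during `helm template` without `--kube-version` comes from the Helm binary's built-in default rather than the target cluster, so an offline render with a recent Helm will drop these objects even when the deployment target is 1.24 — worth a sentence in the chart documentation. `.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy"` would express the intent more directly, though it is subject to the same offline-render caveat.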
+++ b/charts/pulsar/templates/autorecovery-service-account.yaml @@ -0,0 +1,33 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if or .Values.components.autorecovery .Values.extra.autoRecovery }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.autorecovery.component }} + annotations: +{{- with .Values.autorecovery.service_account.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/pulsar/templates/autorecovery-statefulset.yaml b/charts/pulsar/templates/autorecovery-statefulset.yaml index 6c48f40..3d3b4ce 100644 --- a/charts/pulsar/templates/autorecovery-statefulset.yaml +++ b/charts/pulsar/templates/autorecovery-statefulset.yaml 
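Review bot: This ServiceAccount (and the bookkeeper, proxy, toolset and zookeeper ones added alongside it) is now attached to its pods unconditionally, so every pod gets an API token projected into it, yet nothing visible in this diff shows the autorecovery process calling the Kubernetes API — its only binding was PSP `use`, which is evaluated at admission, not by the pod. Set `automountServiceAccountToken: false` on the ServiceAccount (or expose it as `autorecovery.service_account.automountToken`, defaulting to false) so a compromised container holds no cluster credential; the functions-worker SA, which presumably does need the API, should keep the default. A small nit: with `service_account.annotations` empty the template emits a bare `annotations:` (null), which Kubernetes accepts but is cleaner if the key itself is moved inside the `with` block.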
@@ -104,9 +104,7 @@ spec: {{ end }} {{- end }} terminationGracePeriodSeconds: {{ .Values.autorecovery.gracePeriod }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}" - {{- end}} initContainers: # This initContainer will wait for bookkeeper initnewcluster to complete # before deploying the bookies @@ -130,7 +128,7 @@ spec: resources: {{ toYaml .Values.autorecovery.resources | indent 10 }} {{- end }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end}} diff --git a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml index 6de4202..66fa404 100644 --- a/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml +++ b/charts/pulsar/templates/bookkeeper-cluster-initialize.yaml @@ -34,9 +34,7 @@ spec: {{- end }} template: spec: - {{- if and .Values.rbac.enabled .Values.rbac.psp }} serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - {{- end }} nodeSelector: {{- if .Values.pulsar_metadata.nodeSelector }} {{ toYaml .Values.pulsar_metadata.nodeSelector | indent 8 }} @@ -83,7 +81,7 @@ spec: {{- if .Values.extraInitCommand }} {{ .Values.extraInitCommand }} {{- end }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end }} diff --git a/charts/pulsar/templates/bookkeeper-rbac.yaml b/charts/pulsar/templates/bookkeeper-psp.yaml similarity index 91% rename from charts/pulsar/templates/bookkeeper-rbac.yaml rename to charts/pulsar/templates/bookkeeper-psp.yaml index 0eaf2f2..ed7c6e6 100644 --- a/charts/pulsar/templates/bookkeeper-rbac.yaml 
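Review bot: The expression `and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp` is now pasted into every `*-psp.yaml`, StatefulSet and Job template in this commit; a named template in `_helpers.tpl`, e.g. `{{- define "pulsar.psp.enabled" -}}{{ and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }}{{- end -}}` used as `{{- if eq (include "pulsar.psp.enabled" .) "true" }}`, keeps the gate in one place when it next changes. The guarded block only sets `readOnlyRootFilesystem: false`, which appears to be the container default already; if it exists to steer PSP selection rather than to change the container, a comment saying so would save the next reader the question, otherwise it can be dropped. The `serviceAccountName` line in the earlier hunk is now unconditional, so the pod always references an SA that `autorecovery-service-account.yaml` creates only under `components.autorecovery` or `extra.autoRecovery` — consistent only if this StatefulSet is gated the same way, which is outside the hunk.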
+++ b/charts/pulsar/templates/bookkeeper-psp.yaml @@ -17,7 +17,7 @@ # under the License. # -{{- if and .Values.rbac.enabled .Values.rbac.psp }} +{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -34,13 +34,6 @@ rules: - use --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/pulsar/templates/bookkeeper-service-account.yaml b/charts/pulsar/templates/bookkeeper-service-account.yaml new file mode 100644 index 0000000..245284e --- /dev/null +++ b/charts/pulsar/templates/bookkeeper-service-account.yaml 
@@ -0,0 +1,33 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.bookkeeper }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.bookkeeper.component }} + annotations: +{{- with .Values.bookkeeper.service_account.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/pulsar/templates/bookkeeper-statefulset.yaml b/charts/pulsar/templates/bookkeeper-statefulset.yaml index 23706e1..a81245c 100644 --- a/charts/pulsar/templates/bookkeeper-statefulset.yaml +++ b/charts/pulsar/templates/bookkeeper-statefulset.yaml @@ -101,9 +101,7 @@ spec: {{ end }} {{- end }} terminationGracePeriodSeconds: {{ .Values.bookkeeper.gracePeriod }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - {{- end}} {{- if .Values.bookkeeper.securityContext }} securityContext: {{ toYaml .Values.bookkeeper.securityContext | indent 8 }} 
@@ -122,7 +120,7 @@ spec: envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end}} @@ -175,7 +173,7 @@ spec: bin/apply-config-from-env.py conf/bookkeeper.conf; {{- include "pulsar.bookkeeper.zookeeper.tls.settings" . | nindent 10 }} OPTS="${OPTS} -Dlog4j2.formatMsgNoLookups=true" exec bin/pulsar bookie; - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end}} diff --git a/charts/pulsar/templates/broker-psp.yaml b/charts/pulsar/templates/broker-psp.yaml new file mode 100644 index 0000000..35416be --- /dev/null +++ b/charts/pulsar/templates/broker-psp.yaml 
@@ -0,0 +1,85 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" + namespace: {{ template "pulsar.namespace" . }} +rules: + - apiGroups: + - policy + resourceNames: + - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" + resources: + - podsecuritypolicies + verbs: + - use +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" + namespace: {{ template "pulsar.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" +subjects: +- kind: ServiceAccount + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct" + namespace: {{ template "pulsar.namespace" . }} +--- + +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: +{{- if .Values.rbac.limit_to_namespace }} + name: "{{ template "pulsar.fullname" . 
}}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}" +{{- else}} + name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" +{{- end}} +spec: + readOnlyRootFilesystem: false + privileged: false + allowPrivilegeEscalation: false + runAsUser: + rule: 'RunAsAny' + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + volumes: + - configMap + - emptyDir + - projected + - secret + - downwardAPI + - persistentVolumeClaim +{{- end}} diff --git a/charts/pulsar/templates/broker-rbac.yaml b/charts/pulsar/templates/broker-rbac.yaml index d2145d1..f7c5d8f 100644 --- a/charts/pulsar/templates/broker-rbac.yaml +++ b/charts/pulsar/templates/broker-rbac.yaml @@ -44,13 +44,6 @@ rules: - '*' --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - apiVersion: rbac.authorization.k8s.io/v1 {{- if .Values.functions.rbac.limit_to_namespace }} kind: RoleBinding 
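Review bot: The Role's `resourceNames` always names the PSP `<fullname>-broker`, but when `rbac.limit_to_namespace` is true the PodSecurityPolicy below is created as `<fullname>-broker-<namespace>`, so the `use` grant points at a policy that does not exist and broker pods running as `<fullname>-broker-acct` are admitted only if some other PSP happens to allow them, or are rejected outright. Mirror the conditional in the Role as shown below; the sibling `*-psp.yaml` files renamed in this commit show only their gate line here, so check whether they carry the same mismatch. Separately, `runAsUser: RunAsAny` and the absence of `requiredDropCapabilities` leave the policy fairly permissive — if the Pulsar image can run non-root, `MustRunAsNonRoot` plus `requiredDropCapabilities: [ALL]` would be the usual tightening, which I cannot confirm from this diff alone.
```yaml
    resourceNames:
{{- if .Values.rbac.limit_to_namespace }}
      - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}"
{{- else }}
      - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
{{- end }}
# … unchanged: resources/verbs, RoleBinding, PodSecurityPolicy …
```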
@@ -74,74 +67,4 @@ subjects: - kind: ServiceAccount name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" namespace: {{ template "pulsar.namespace" . }} -{{- end }} - -{{- if and .Values.rbac.enabled .Values.rbac.psp }} ---- - - -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" - namespace: {{ template "pulsar.namespace" . }} -rules: - - apiGroups: - - policy - resourceNames: - - "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" - resources: - - podsecuritypolicies - verbs: - - use ---- - -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" - namespace: {{ template "pulsar.namespace" . }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-psp" -subjects: -- kind: ServiceAccount - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-acct" - namespace: {{ template "pulsar.namespace" . }} ---- - -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: -{{- if .Values.rbac.limit_to_namespace }} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}" -{{- else}} - name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}" -{{- end}} -spec: - readOnlyRootFilesystem: false - privileged: false - allowPrivilegeEscalation: false - runAsUser: - rule: 'RunAsAny' - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - seLinux: - rule: 'RunAsAny' - volumes: - - configMap - - emptyDir - - projected - - secret - - downwardAPI - - persistentVolumeClaim -{{- end}} +{{- end }} \ No newline at end of file 
diff --git a/charts/pulsar/templates/broker-service-account.yaml b/charts/pulsar/templates/broker-service-account.yaml index 6be8b1d..ab9ae60 100644 --- a/charts/pulsar/templates/broker-service-account.yaml +++ b/charts/pulsar/templates/broker-service-account.yaml @@ -30,4 +30,21 @@ metadata: {{- with .Values.broker.service_account.annotations }} {{ toYaml . | indent 4 }} {{- end }} +--- +{{- end }} + +{{- if or .Values.components.functions .Values.extra.functionsAsPods }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.functions.component }} + annotations: +{{- with .Values.functions.service_account.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +--- {{- end }} diff --git a/charts/pulsar/templates/broker-statefulset.yaml b/charts/pulsar/templates/broker-statefulset.yaml index 199cc8c..b436cfc 100644 --- a/charts/pulsar/templates/broker-statefulset.yaml +++ b/charts/pulsar/templates/broker-statefulset.yaml @@ -123,7 +123,7 @@ spec: {{- end }} echo "pulsar cluster {{ template "pulsar.cluster.name" . }} isn't initialized yet ... check in 3 seconds ..." && sleep 3; done; - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end }} @@ -155,7 +155,7 @@ spec: envFrom: - configMapRef: name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}" - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end }} 
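Review bot: The functions-worker ServiceAccount is now defined inside `broker-service-account.yaml`, while every other component in this commit received its own `<component>-service-account.yaml`; a `functions-service-account.yaml` would keep one account per file and make it discoverable. The gate `or .Values.components.functions .Values.extra.functionsAsPods` needs to match the gate on the functions Role/RoleBinding in `broker-rbac.yaml` (not visible in this hunk), otherwise some value combinations render a binding to an SA that is never created, or an SA with no binding. The `---` after each document is harmless to Helm but unusual as a trailing separator; keep whichever form the rest of the chart uses.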
@@ -253,7 +253,7 @@ spec: {{ toYaml .Values.broker.extraVolumeMounts | indent 10 }} {{- end }} {{- include "pulsar.broker.certs.volumeMounts" . | nindent 10 }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end }} diff --git a/charts/pulsar/templates/proxy-rbac.yaml b/charts/pulsar/templates/proxy-psp.yaml similarity index 91% rename from charts/pulsar/templates/proxy-rbac.yaml rename to charts/pulsar/templates/proxy-psp.yaml index 72298ee..768bfde 100644 --- a/charts/pulsar/templates/proxy-rbac.yaml +++ b/charts/pulsar/templates/proxy-psp.yaml @@ -17,7 +17,7 @@ # under the License. # -{{- if and .Values.rbac.enabled .Values.rbac.psp }} +{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -34,13 +34,6 @@ rules: - use --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/pulsar/templates/proxy-service-account.yaml b/charts/pulsar/templates/proxy-service-account.yaml new file mode 100644 index 0000000..1c3f381 --- /dev/null +++ b/charts/pulsar/templates/proxy-service-account.yaml 
@@ -0,0 +1,33 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.proxy }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.proxy.component }} + annotations: +{{- with .Values.proxy.service_account.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/pulsar/templates/proxy-statefulset.yaml b/charts/pulsar/templates/proxy-statefulset.yaml index e162134..d50559c 100644 --- a/charts/pulsar/templates/proxy-statefulset.yaml +++ b/charts/pulsar/templates/proxy-statefulset.yaml @@ -103,9 +103,7 @@ spec: {{ end }} {{- end }} terminationGracePeriodSeconds: {{ .Values.proxy.gracePeriod }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - {{- end}} initContainers: # This init container will wait for zookeeper to be ready before # deploying the bookies 
@@ -201,7 +199,7 @@ spec: - name: "sts-{{ .Values.tlsPrefix }}pulsarssl" containerPort: {{ .Values.proxy.ports.pulsarssl }} {{- end }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end }} diff --git a/charts/pulsar/templates/toolset-rbac.yaml b/charts/pulsar/templates/toolset-psp.yaml similarity index 91% rename from charts/pulsar/templates/toolset-rbac.yaml rename to charts/pulsar/templates/toolset-psp.yaml index c08c6f5..b1adc3b 100644 --- a/charts/pulsar/templates/toolset-rbac.yaml +++ b/charts/pulsar/templates/toolset-psp.yaml @@ -17,7 +17,7 @@ # under the License. # -{{- if and .Values.rbac.enabled .Values.rbac.psp }} +{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -34,13 +34,6 @@ rules: - use --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/pulsar/templates/toolset-service-account.yaml b/charts/pulsar/templates/toolset-service-account.yaml new file mode 100644 index 0000000..32b0b04 --- /dev/null +++ b/charts/pulsar/templates/toolset-service-account.yaml 
@@ -0,0 +1,33 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.toolset }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.toolset.component }} + annotations: +{{- with .Values.toolset.service_account.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/pulsar/templates/toolset-statefulset.yaml b/charts/pulsar/templates/toolset-statefulset.yaml index 7861b69..3ecd479 100644 --- a/charts/pulsar/templates/toolset-statefulset.yaml +++ b/charts/pulsar/templates/toolset-statefulset.yaml 
@@ -58,9 +58,7 @@ spec: {{ toYaml .Values.toolset.tolerations | indent 8 }} {{- end }} terminationGracePeriodSeconds: {{ .Values.toolset.gracePeriod }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} - serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}" - {{- end}} + serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" containers: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}" image: "{{ template "pulsar.imageFullName" (dict "image" .Values.images.broker "root" .) }}" @@ -79,7 +77,7 @@ spec: bin/apply-config-from-env.py conf/bookkeeper.conf; {{- include "pulsar.toolset.zookeeper.tls.settings" . | nindent 10 }} sleep 10000000000 - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end }} diff --git a/charts/pulsar/templates/zookeeper-rbac.yaml b/charts/pulsar/templates/zookeeper-psp.yaml similarity index 91% rename from charts/pulsar/templates/zookeeper-rbac.yaml rename to charts/pulsar/templates/zookeeper-psp.yaml index 23f80f5..fd32e3c 100644 --- a/charts/pulsar/templates/zookeeper-rbac.yaml +++ b/charts/pulsar/templates/zookeeper-psp.yaml @@ -17,7 +17,7 @@ # under the License. # -{{- if and .Values.rbac.enabled .Values.rbac.psp }} +{{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -34,13 +34,6 @@ rules: - use --- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - namespace: {{ template "pulsar.namespace" . }} ---- - apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
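Review bot: Switching `serviceAccountName` from the proxy SA to the toolset SA is a behavior fix hidden inside a refactoring commit: until now toolset pods were admitted under the proxy SA's PSP binding while the toolset SA that `toolset-rbac.yaml` bound sat unused. It deserves a changelog/upgrade note, since the pod-template change will roll the toolset StatefulSet on upgrade, and a comment on the line such as `# toolset uses its own SA (earlier releases mistakenly referenced the proxy SA)`. The container is a long-lived bastion (`sleep 10000000000`) carrying admin tooling, so it is also a natural candidate for `automountServiceAccountToken: false` unless something inside it needs the API server.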
diff --git a/charts/pulsar/templates/zookeeper-service-account.yaml b/charts/pulsar/templates/zookeeper-service-account.yaml new file mode 100644 index 0000000..e347677 --- /dev/null +++ b/charts/pulsar/templates/zookeeper-service-account.yaml @@ -0,0 +1,33 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# + +{{- if .Values.components.zookeeper }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" + namespace: {{ template "pulsar.namespace" . }} + labels: + {{- include "pulsar.standardLabels" . | nindent 4 }} + component: {{ .Values.zookeeper.component }} + annotations: +{{- with .Values.zookeeper.service_account.annotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/pulsar/templates/zookeeper-statefulset.yaml b/charts/pulsar/templates/zookeeper-statefulset.yaml index 739f617..fde47c4 100644 --- a/charts/pulsar/templates/zookeeper-statefulset.yaml +++ b/charts/pulsar/templates/zookeeper-statefulset.yaml 
@@ -100,9 +100,7 @@ spec: {{ end }} {{- end }} terminationGracePeriodSeconds: {{ .Values.zookeeper.gracePeriod }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} serviceAccountName: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}" - {{- end }} {{- if .Values.zookeeper.securityContext }} securityContext: {{ toYaml .Values.zookeeper.securityContext | indent 8 }} @@ -163,7 +161,7 @@ spec: {{- $zkConnectCommand = print "nc -q 1 localhost " .Values.zookeeper.ports.client -}} {{- end }} {{- if .Values.zookeeper.probe.readiness.enabled }} - {{- if and .Values.rbac.enabled .Values.rbac.psp }} + {{- if and (semverCompare "<1.25-0" .Capabilities.KubeVersion.Version) .Values.rbac.enabled .Values.rbac.psp }} securityContext: readOnlyRootFilesystem: false {{- end}} diff --git a/charts/pulsar/values.yaml b/charts/pulsar/values.yaml index ecf5a4d..6b8b8a6 100644 --- a/charts/pulsar/values.yaml +++ b/charts/pulsar/values.yaml @@ -376,6 +376,10 @@ zookeeper: # External zookeeper server list in case of global-zk list to create zk cluster across zk deployed on different clusters/namespaces # Example value: "us-east1-pulsar-zookeeper-0.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-1.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-east1-pulsar-zookeeper-2.us-east1-pulsar-zookeeper.us-east1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-0.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-1.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888,us-west1-pulsar-zookeeper-2.us-west1-pulsar-zookeeper.us-west1.svc.cluster.local:2888:3888" externalZookeeperServerList: "" + ## Zookeeper service account + ## templates/zookeeper-service-account.yaml + service_account: + annotations: {} ## Zookeeper configmap ## templates/zookeeper-configmap.yaml ## 
@@ -554,7 +558,10 @@ bookkeeper: # ... # selector: # ... - + ## Bookkeeper service account + ## templates/bookkeeper-service-account.yaml + service_account: + annotations: {} ## Bookkeeper configmap ## templates/bookkeeper-configmap.yaml ## @@ -630,6 +637,10 @@ autorecovery: requests: memory: 64Mi cpu: 0.05 + ## Bookkeeper auto-recovery service account + ## templates/autorecovery-service-account.yaml + service_account: + annotations: {} ## Bookkeeper auto-recovery configmap ## templates/autorecovery-configmap.yaml ## @@ -805,6 +816,10 @@ functions: # Set to true to deploy functions with Role and RoleBinding inside the specified namespace rbac: limit_to_namespace: false + ### Functions Worker service account + ## templates/broker-service-account.yaml + service_account: + annotations: {} ## Pulsar: Proxy Cluster ## templates/proxy-statefulset.yaml @@ -881,6 +896,10 @@ proxy: # fieldRef: # apiVersion: v1 # fieldPath: status.podIP + ## Proxy service account + ## templates/proxy-service-account.yaml + service_account: + annotations: {} ## Proxy configmap ## templates/proxy-configmap.yaml ## @@ -1016,8 +1035,12 @@ toolset: # readOnly: true extraVolumes: [] extraVolumeMounts: [] - ## Bastion configmap - ## templates/bastion-configmap.yaml + ## Toolset service account + ## templates/toolset-service-account.yaml + service_account: + annotations: {} + ## Toolset configmap + ## templates/toolset-configmap.yaml ## configData: PULSAR_MEM: >
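Review bot: The new `### Functions Worker service account` header uses three hashes where every sibling block added here uses `##`; make it `## Functions Worker service account`. Since each component now always gets a dedicated ServiceAccount, these `service_account:` stanzas are the natural place to expose `automountServiceAccountToken` (e.g. `automountToken: false` beside `annotations: {}`), so operators can withhold API tokens from pods that never talk to the API server. The `rbac.psp` value is not in this hunk, but its description should now state that it only takes effect on Kubernetes < 1.25.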